4 Phases to Implement an Effective Security Infrastructure


As regulatory requirements continue to multiply, information security policies must meet the needs of your business without the crippling effect of bureaucracy. Here's how to establish an effective security infrastructure which will keep your IT organization high-performing and your business secure.

In the early 90s, Jim Collins wrote a book titled Good to Great, which captured the characteristics of exceptional companies. After combing through mountains of data on a list of 1485 companies, Jim's group discovered that the "great" ones had 5 main attributes which allowed them to transition beyond just being "good". Millions of business leaders purchased his book with the high hopes of implementing the 5 attributes and making the transition themselves. To date, the book averages 300 thousand sales per year and has been translated into 32 different languages.

Have all of the companies led by all of the business leaders who purchased his book transitioned to greatness? I don't know. But I do know that in 2014, the IT Process Institute (ITPI) released a 2nd edition of a book titled Visible Ops Security. This member-based group took a similar approach to understanding what makes an IT department great. For 4 years, they studied the common IT practices of 850 organizations. They learned that the high-performing organizations shared a very similar culture of change management, causality, planned work and continuous improvement.

These attributes produced the following benefits:

50% fewer production system change failures

50% fewer unintended failures as a result of releases

75% fewer emergency change requests

75% fewer repeat audit findings

50% less unplanned work and firefighting

Server-to-system-administrator ratios are 2x higher

These organizations had a culture based on change management where changes were initiated via a Change Advisory Board (CAB). These organizations viewed this key step not as bureaucratic but as a necessary step for maintaining their high performance. So when the thought of a change was introduced, nobody signed in to make it; instead, they brought it to the CAB. In addition, when something went wrong with any IT asset, all of these high-performing IT departments understood that 80% of outages or issues were caused by a recent change they had made. Again, instead of logging in to troubleshoot the change, they went right to the change log to see what had most recently changed and then developed an approach based on that information. Reducing variance is also a key trait. In each high-performing organization, there is a major push to identify changes among common systems and standardize them. This reduces outages as well as the need to execute "all hands on deck" types of unplanned effort.

How do you get your organization there? A company possessing such cultural values among its personnel will implement Visible Ops Security measures with ease. In other cases, there is a great deal of work to be done. It takes a phased approach. Let me explain. Each phase of the Visible Ops Security improvement process is designed to bring your company closer to being on par with the aforementioned “high-performing” IT organizations.

Visible Ops Security will:

Ensure information security focuses on protecting what matters to the organization (focusing resources).

Phase 1: Stabilize the Patient and Get Plugged into Production

The first phase of the Visible Ops Security improvement process involves gaining a strong situational awareness for the organization and integrating new procedures into daily IT operations. This initially involves applying information security measures to change & access management processes, followed by implementation of information security incident response procedures into IT incident and problem management processes.

By accomplishing integration, we have already brought information security to daily IT operations. This will allow for the more effective management of information security & operational risks. This not only builds value for information security, IT operations and the organization as a whole, but also reduces “friendly-fire” incidents between information security and IT operations teams. Now, everyone will be on the same page!

By reducing access privileges, we have reduced the chance for errors, failures, and information security breaches. Employee account revocation will reduce the number of ghost accounts, and hence risks to the organization. Roles, responsibilities and escalation procedures are clearly defined in this phase, which helps reduce interruptions and get the right work to the right people.

Establishing situational awareness and integrating information security are both key to responding efficiently to potential security threats. Through Phase 1, we have established a crucial knowledge of the organization’s current operational state and implemented information security controls into key change/access management processes.

The next phase in the Visible Ops Security improvement process involves taking a top-down, risk-based approach to understand where the organization heavily relies on IT / Information Security. Information security and IT Ops resources are limited, so we need to focus these resources on what items and functions come first for the organization!

In Phase 1 of the Visible Ops Security improvement process, we jumped into company operations to gain situational awareness and implement information security controls. Now that we have a handle on how the company is functioning, and have gained control from an information security standpoint, it will be much easier to implement changes for improvement going forward. In Phase 2, we will utilize the information and power gained in Phase 1 to clearly define the scope of information security controls needed.

Phase 2: Find Business Risks and Fix “Fragile Artifacts”

In this phase, we acknowledge the fact that IT Ops and Information Security resources are limited. We need to focus these resources on securing what matters most to the company. This first involves an in-depth risk assessment to determine where the company is heavily relying on IT functionality (or where it should be). Once these critical functions or “fragile artifacts” are identified, we will gain a better understanding of what information security controls may be needed.

Steps for Phase 2

Establish the initial scope of business processes and IT services / systems that are considered crucial to the organization. This will help us construct a business process worry list.

Zoom Out to Rule Out – taking a broader look at operations to confirm where the company heavily relies on IT functionality and ensure proper controls are in place. This will help determine which business processes are significant enough for our attention.

Find and fix any critical IT control issues and initiate corrective actions to ensure they effectively mitigate business risks. We will notify the appropriate stakeholders and get the gaps filled!

Streamline IT controls for regulatory compliance. So, now that we know the crucial functions of IT, we need to implement a common way of thinking and functioning. Once in place, these reusable procedures will streamline audits and hence compliance.

We have now prioritized IT Ops and Information Security goals based on where the organization needs critical support. With a better understanding of business risks and what systems/data matter most to the company, we are able to more effectively allocate our limited IT resources. This will lead to quicker fixes for gaps in control systems and mitigation of issues. Now, we must move upstream to work with the appropriate groups for further improvement.

Phase 3: Implement Development and Release Controls

Phase 3 of the Visible Ops Security improvement process involves integrating information security into development/release & project management processes, as well as internal audits. In these steps, stakeholders in these processes will be included to maintain accurate situational awareness. So, we will need to define a procedure for engaging each project group when information security-relevant tasks are at hand! People are busy, so we need to prove the value of information security within their functions.

Steps for Phase 3

Integrate information security into the following areas:

Internal Audit – Develop a formal relationship with the internal audit team and prove value for information security through sharing and support.

Project Management – Work with project management to integrate information security into areas like project initiation/approval processes and other key project controls.

Development Life Cycle – It is necessary to apply information security practices to the software/service development lifecycle (SDLC) rather than trying to implement security after release. Post-application of information security may be very expensive, burdensome and in many cases, impossible.

Release Management – Ensure that systems are built and deployed correctly and that configurations remain in a known and trusted state after release. This is done through the provision of information security standards throughout production and release management processes.

With these integrations, information security practices and standards are now embedded in the critical groups/processes. By doing this, we have created a secure IT environment throughout the core of the company. We are almost done, but your company is not completely safe yet! In the final phase, we need to set up a system to maintain this secure environment we have created.

In Phase 3 of the Visible Ops Security improvement process, we created a secure environment for the organization using the widespread integration of information security. Some will stop at this point and consider the job done, but they are mistaken. In the high-tech world we live in today, your information could be safe at one moment, but a new threat/risk could pop up within a matter of minutes. This is why in Phase 4 of our improvement process, we need to develop a system to maintain and continually improve the safe & secure environment we have worked so hard to create.

Phase 4: Continual Improvement

Our goal is to help the business continuously achieve its objectives, which presents a need for continual improvement. This is achieved through the monitoring and measurement of the progress we have made with the implementation of information security. Phases and tasks that can help measure short-term and long-term progress are described below:

Phase 2: Establish and update the business process worry (risk) list & inventories, update where the company relies heavily on IT Ops and information security, and ensure compliance with updated regulations.

Phase 3: Relationships with each department where we have integrated information security are easily measured by the level of involvement and information shared.

You guessed it, continuous improvement is an ongoing and tedious process, but oh so necessary. Far too many organizations fall victim to security threats due to outdated systems and procedures. Proper implementation of the Visible Ops Security steps (phases) allows for streamlined maintenance of information security systems and provides opportunities for improvement via the collection of metrics data.

Visible Ops Wrap-up

The Visible Ops Security improvement process allows companies to achieve IT Ops & information security objectives through 4 straightforward phases. If properly integrated through this process, information security procedures and system controls will allow a company to enjoy the fruitful benefits of being a “high-performing” organization with regard to IT & information security. Let’s review those benefits: